📋 ISO 27001 A.5.17 | Rule: ISO27001-A517 | Severity: high

Authentication Information

Description

Allocation and management of authentication information shall be controlled by a management process; users shall be made aware of their responsibilities for protecting it.

⚠️ Risk Impact

Credentials handled poorly (sent via email, posted in Slack, reused across systems) are routinely the breach entry point. Every modern breach analysis lists 'credential issues' in its root cause.

🔍 How EchelonGraph Detects This

ISO27001-A517 (automated scanner rule)

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.

🔧 Remediation

Enforce a strong password policy via the IdP (length, complexity, rotation). Require MFA universally. Use a password manager for staff. Eliminate credentials from source code (gitleaks, TruffleHog, pre-commit hooks). Rotate long-lived credentials.
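As an added illustration of the pre-commit hook item above (example code, not EchelonGraph's and not a substitute for gitleaks or TruffleHog), a minimal Python hook that scans the staged diff for added lines carrying an AWS access key ID or a quoted secret assignment, the kind of leak the scenario on this page describes. The file name `scan_secrets.py`, the sample diff and the generic assignment heuristic are assumptions.

```python
import re
import sys

# AKIA... is the documented AWS access key ID layout; the assignment pattern is a
# generic heuristic (tune per repo to keep false positives manageable).
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic-secret-assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}

def scan_diff(diff: str) -> list[tuple[str, int, str, str]]:
    """Return (path, line, rule, snippet) for added (+) lines that look like secrets."""
    findings, path, line_no = [], "?", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")  # new-side file name
        elif raw.startswith("@@"):
            m = re.search(r"\+(\d+)", raw)  # new-side start line of the hunk
            line_no = int(m.group(1)) - 1 if m else 0
        elif raw.startswith("+"):
            line_no += 1
            for rule, pat in PATTERNS.items():
                if pat.search(raw[1:]):
                    findings.append((path, line_no, rule, raw[1:].strip()))
        elif not raw.startswith("-"):
            line_no += 1  # unchanged context line; removed lines do not advance
    return findings

# Constructed sample diff: an env-var lookup replaced by a literal AWS key.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,3 +1,4 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+db_password = "hunter2hunter2"
 region = "eu-west-1"
"""

def main() -> int:
    """Hook entry point: `git diff --cached | python scan_secrets.py`; exit 1 blocks the commit."""
    findings = scan_diff(sys.stdin.read())
    for path, line_no, rule, snippet in findings:
        print(f"{path}:{line_no}: {rule}: {snippet}")
    return 1 if findings else 0

if __name__ == "__main__": raise SystemExit(main())
```

Only added lines are inspected, so a commit that removes a leaked key passes while one that introduces it is blocked; the hook complements, rather than replaces, scanning of public and private repository history.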

💀 Real-World Attack Scenario

GitHub disclosed (Feb 2024) that 6.5M secrets had been pushed to public repos in the preceding year — API keys, OAuth tokens, database credentials. Most companies don't know their exposure until a researcher (or attacker) finds it. One enterprise SaaS company discovered 14 active AWS access keys in their public commit history; total exposure cost: $1.8M.

💰 Cost of Non-Compliance

Credential-leak breaches: avg $4.45M (IBM 2024). GitHub Secret Scanning blocked 12M secret-leak attempts in 2023.

📋 Audit Questions

  1. What password policy is enforced?
  2. Is MFA universal?
  3. What secret-scanning is in CI/CD + public repos?
  4. How are long-lived credentials rotated?

🎯 MITRE ATT&CK Mapping

  • T1552.001 — Credentials in Files
  • T1110.004 — Credential Stuffing

⚡ Common Pitfalls

  • Password policy without MFA — useful against guessing only
  • Secret scanning in private repos only — public repos missed
  • No staff training on credential-handling (sending via Slack DM, etc.)

📈 Business Value

Robust credential management is the single highest-frequency security topic. Pays back in breach prevention multiple times per year.

⏱️ Effort Estimate

Manual

20-40 hours initial program + ongoing tuning

With EchelonGraph

EchelonGraph integrates with GitHub Secret Scanning + cloud IAM audit

🔗 Cross-Framework References

  • SOC2-CC6.1
  • PCI-8.6

Automate ISO 27001 A.5.17 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
